© 2021 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

Exposed FCM keys leaves billions of users open to mass spam and phishing notifications

by Bernard Meyer
2
Neon version of Google's logo

[Updated August 27]

The FCM exploit originally discovered by security researcher Abss seems to have hit Microsoft Teams as well. Users have reported receiving mass spam push notifications early in the morning. The news has hit Reddit, with hundreds of users discussing the FCM spam:

reddit
Test Notification FCM

While Abss originally showed that the FCM exploit was possible with his proof of concept, users are now receiving mass spam notifications that seems to point that someone has performed this attack in the wild:

Users in Germany discussing on Reddit how they received multiple FCM spam notifications
Users in Germany discussing on Reddit how they received multiple FCM spam notifications

I checked in with Abss again, who believes that the latest issue of Microsoft Teams getting FCM notifications is most likely related. He estimated that around 15% of all apps using FCM could be affected by this exploit, which means it's likely to continue unless developers actively mitigate the issue.

A screen capture of the type of spam FCM notifications from MS Teams
A screen capture of the type of spam FCM notifications from MS Teams

Abss told CyberNews: "If you receive the message, there's really no way to tell if it was intended by the Google/Microsoft teams or if it was a curious hacker. It's up to either Google or Microsoft to find that out." However, he had some good news for users receiving the message: "There's no need to worry if you get the message. However, beware that the content of the notification can be controlled by the attacker. It can also contain images (yes, including graphic and disturbing images), so beware of the content and don't follow any links."

The original article follows below.

New vulnerabilities involving Google’s Firebase Cloud Messaging (FCM) service could have allowed fraudsters to send mass spam and phishing push notifications to billions of Android users. The exploit involves Firebase, a Google platform that allows app developers to build their apps, and leverages its Firebase Cloud Messaging Service. This was discovered by Abhishek Dharani, a Bangalore-based security researcher better known as “Abss.”

First described in Abss’ blog post, which is a technical walk-through of the vulnerability, the Firebase Cloud Messaging exploit could allow attackers to send any push notifications to billions of app users, even if those users weren’t subscribed to the various apps’ push notifications. As reward for finding these vulnerabilities in the various apps, Abss and his team received $30,000 in bounties.

The problem lies with how sensitive data – here, API keys – was exposed in the app code (for Android, this is an APK file), allowing anyone to see it if they just dug enough. 

In fact, that’s exactly how Abss was able to discover this particular exploit. “I love taking time to understand things and to slowly connect the dots. The process of finding this was similar,” Abss told CyberNews. After digging through the APK’s .xml and .smali files, the recent Computer Science grad found keys that he thought may be sensitive (rather than ones intended to be made public). 

“After initially observing these weird keys and their variable names, I started reading a lot of documentation on Firebase Cloud Messaging.”

Picture of Abhishek Dharani, the Bangalore-based security researcher better known as “Abss.”
Abhishek Dharani, the Bangalore-based security researcher better known as “Abss.”

The most likely attacks using the Firebase vulnerability

After connecting the dots, Abss noticed that he – or any malicious attacker – would be able to abuse the logical conditions and expressions for the Firebase Cloud Messaging system. With this, he could broadcast malicious push notifications to any user of an Android app using Firebase Cloud Messaging Service. 

Using this manipulation, an attacker could even send notifications to users who did not subscribe to receive notifications. 

With the help of his friend Yash Sodha, Abss found a list of highly popular affected apps that include:

  • Google Play Music (5 billion installs)
  • Google Hangouts (1 billion installs)
  • YouTube Music (100 million installs)
  • YouTube Go (500 million installs)
  • Smule Autorap (10 million installs)
  • Smule - The Social Singing App (100 million installs)
  • Deliveroo (10 million installs)

There also seem to be reports that Microsoft Teams may have fallen victim to this FCM exploit, and there are certainly many other apps that are vulnerable.

A forum on Microsoft's site discussing the new FCM message notification attack
A forum on Microsoft's site discussing the new FCM message notification attack

In total, removing some likely audience overlap, billions of users were exposed to this exploit.

A proof of concept of Abss successfully manipulating push notifications for Google Play Music
A proof of concept of Abss successfully manipulating push notifications for Google Play Music

Certainly, the amount of damage bad actors could do with such a vulnerability is limited only by the attacker’s creativity. The major, immediate impact could be a coordinated political intervention, in which an attacker could send mass notifications to billions of these app users favoring one political candidate over another, or spreading false news about a certain candidate, especially since it would come from such a tech titan as Google. 

Attackers could also use the Firebase vulnerability to send mass phishing notifications. “Assume a 0.5% success rate on a 1 billion userbase!” Abss wonders. Certainly, that would be a highly successful campaign in terms of absolute numbers, netting the attackers potentially millions of dollars. 

Another way for attackers to exploit this vulnerability would be to cripple other businesses’ reputations, including the very app that the notifications are being sent on. 

Abss notified the affected vendors of the issue beginning in February, and Google in April. While all issues were patched in July, some vendors have not yet agreed to a public disclosure.

According to a Google I/O Firebase presentation in 2017, more than 1 million developers have built apps with Firebase:

What's New in Firebase (Google I/O '17) video screenshot

While Abss notified the affected vendors for the apps he analyzed, he believes that there are many app developers with Firebase projects whose apps may still be affected. “My research sourced keys only from mobile app code. Keeping in mind different sources such as GitHub, Gitlab, BitBucket and others that could expose such keys, I would say a good 15% of existing apps might be vulnerable at the given moment,” says Abss.

In that case, developers should check their apps for any potential vulnerable keys. “In order to stop this kind of attack,” Abss told CyberNews, “the organisation has to quickly disable or delete the keys.”

For his and his team’s work, Abss has netted $30,000 in bounties so far, as well as a Google Covid-19 vulnerability research grant.

Protect yourself online with our hand-picked digital privacy tools

Antivirus software

VPN

Password managers

Share
Tweet
Share
Share
Share
Comments
greg oldman
greg oldman
prefix 1 year ago
Add firefox for android to that list, it contains the firebase tracker.
Tyreese
Tyreese
prefix 1 year ago
This firebase exploit can and probably will lead to many illegal actions as mentioned in your article: “Assume a 0.5% success rate on a 1 billion userbase!”
That’s a huge risk! As far as I understand, now it’s up to developers of the apps to check and fix it, right? So, it might take a lot of time to patch this sh&*^
Leave a Reply

Your email address will not be published. Required fields are marked